authorGeorge Lebl <jirka@5z.com>2001-04-30 23:48:12 +0000
committerGeorge Lebl <jirka@src.gnome.org>2001-04-30 23:48:12 +0000
commitfde96cc4c77476e4846e8de5bc0943d253ae4738 (patch)
treefbc2e4b5b0b674a1bba675291839d87b973cd820
parent6c8307674b7a8a11169b3550d87041bb96d2ff68 (diff)
Add an option to toggle logging in of root remotely. So one can allow
Mon Apr 30 16:48:42 2001 George Lebl <jirka@5z.com> * gdm/gdm.[ch], gdm/verify-(pam|crypt|shadow).c, gui/gdmconfig.(c|glade): Add an option to toggle logging in of root remotely. So one can allow local root login but disallow remote root logins. * daemon/slave.c: add nicer error messages to all the exec failures
-rw-r--r--ChangeLog9
-rw-r--r--TODO5
-rw-r--r--config/gdm.conf.in1
-rw-r--r--daemon/gdm.c2
-rw-r--r--daemon/gdm.h1
-rw-r--r--daemon/slave.c25
-rw-r--r--daemon/verify-crypt.c4
-rw-r--r--daemon/verify-pam.c4
-rw-r--r--daemon/verify-shadow.c4
-rw-r--r--gui/gdmconfig-strings.c3
-rw-r--r--gui/gdmconfig.c2
-rw-r--r--gui/gdmconfig.glade21
12 files changed, 68 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index 038fc9bc..fb154290 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Mon Apr 30 16:48:42 2001 George Lebl <jirka@5z.com>
+
+ * gdm/gdm.[ch], gdm/verify-(pam|crypt|shadow).c,
+ gui/gdmconfig.(c|glade): Add an option to toggle logging in
+ of root remotely. So one can allow local root login but disallow
+ remote root logins.
+
+ * daemon/slave.c: add nicer error messages to all the exec failiures
+
Mon Apr 30 02:34:37 2001 George Lebl <jirka@5z.com>
* config/gdm.conf.in, deamon/gdm.[ch], daemon/slave.c,
diff --git a/TODO b/TODO
index 63e899bb..2a69eedd 100644
--- a/TODO
+++ b/TODO
@@ -12,4 +12,7 @@ or public terminal use.
Expunge explicit imlib usage from gdmlogin/gdmchooser. (This requires
gdk-pixbuf support in GnomeIconList to do properly).
-when installing stuff, overwrite and store old in .orig
+xsri like logo functionality
+
+when setting a background image set it per xinerama screen rather then on
+the entire big damn thing.
diff --git a/config/gdm.conf.in b/config/gdm.conf.in
index 8c8acf5a..e632f00a 100644
--- a/config/gdm.conf.in
+++ b/config/gdm.conf.in
@@ -26,6 +26,7 @@ TimedLoginDelay=30
[security]
AllowRoot=true
+AllowRemoteRoot=true
RelaxPermissions=0
RetryDelay=3
UserMaxFile=65536
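Review bot: The added `AllowRemoteRoot=true`, together with the compiled-in fallback `"security/AllowRemoteRoot=true"` behind `GDM_KEY_ALLOWREMOTEROOT` in daemon/gdm.h, leaves remote root login enabled unless an administrator switches it off. The option's own tooltip ties it to XDMCP logins, so a deny-by-default value would be the safer shipping choice: `AllowRemoteRoot=false` here and `"security/AllowRemoteRoot=false"` in the header, so that an existing gdm.conf lacking the key also ends up denying. If keeping the previous behaviour on upgrade is deliberate, the ChangeLog entry or the configuration documentation should say so explicitly.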
diff --git a/daemon/gdm.c b/daemon/gdm.c
index a171ac52..b27b88f2 100644
--- a/daemon/gdm.c
+++ b/daemon/gdm.c
@@ -95,6 +95,7 @@ gint GdmMaxIndirectWait = 0;
gboolean GdmDebug = FALSE;
gboolean GdmVerboseAuth = FALSE;
gboolean GdmAllowRoot = FALSE;
+gboolean GdmAllowRemoteRoot = FALSE;
gint GdmRelaxPerms = 0;
gint GdmRetryDelay = 0;
gchar *GdmTimedLogin = NULL;
@@ -160,6 +161,7 @@ gdm_config_parse (void)
GdmTimedLoginDelay = gnome_config_get_int (GDM_KEY_TIMED_LOGIN_DELAY);
GdmAllowRoot = gnome_config_get_bool (GDM_KEY_ALLOWROOT);
+ GdmAllowRemoteRoot = gnome_config_get_bool (GDM_KEY_ALLOWREMOTEROOT);
GdmRelaxPerms = gnome_config_get_int (GDM_KEY_RELAXPERM);
GdmUserMaxFile = gnome_config_get_int (GDM_KEY_MAXFILE);
GdmSessionMaxFile = gnome_config_get_int (GDM_KEY_SESSIONMAXFILE);
diff --git a/daemon/gdm.h b/daemon/gdm.h
index e354241e..6db55110 100644
--- a/daemon/gdm.h
+++ b/daemon/gdm.h
@@ -113,6 +113,7 @@
#define GDM_KEY_TIMED_LOGIN_DELAY "daemon/TimedLoginDelay=0"
#define GDM_KEY_ALLOWROOT "security/AllowRoot=true"
+#define GDM_KEY_ALLOWREMOTEROOT "security/AllowRemoteRoot=true"
#define GDM_KEY_MAXFILE "security/UserMaxFile=65536"
#define GDM_KEY_SESSIONMAXFILE "security/SessionMaxFile=524288"
#define GDM_KEY_RELAXPERM "security/RelaxPermissions=0"
diff --git a/daemon/slave.c b/daemon/slave.c
index 08c1864a..c7d65cfc 100644
--- a/daemon/slave.c
+++ b/daemon/slave.c
@@ -724,8 +724,9 @@ find_a_session (void)
}
/* A hack really, this pretends to be a standalone gtk program */
+/* this should only be called once forked and all thingies are closed */
static void
-run_error_dialog (void)
+run_error_dialog (const char *error)
{
char *argv_s[] = { "error", NULL };
char **argv = argv_s;
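Review bot: The comment added above `run_error_dialog` does not say what "all thingies" are, nor what the new `error` parameter must contain. If it means the descriptors inherited from the slave, something like `/* Call only in the forked child, after inherited descriptors are closed; error is displayed verbatim, so pass an already translated, non-NULL string. */` would state the precondition a future caller needs. The function body continues past the end of this hunk.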
@@ -744,10 +745,7 @@ run_error_dialog (void)
gtk_window_set_title (GTK_WINDOW (dialog), _("Cannot start session"));
- label = gtk_label_new (_("Cannot start the session, most likely the\n"
- "session does not exist. Please select from\n"
- "the list of available sessions in the login\n"
- "dialog window."));
+ label = gtk_label_new (error);
gtk_container_set_border_width
(GTK_CONTAINER (GTK_DIALOG (dialog)->vbox), 10);
@@ -1056,19 +1054,28 @@ gdm_slave_session_start (void)
* message */
if (strcmp (shell, "/bin/false") == 0) {
gdm_error (_("gdm_slave_session_start: User not allowed to log in"));
+ run_error_dialog (_("The system administrator has\n"
+ "disabled your account."));
} else if (access (sesspath, X_OK|R_OK) != 0) {
+ gdm_error (_("gdm_slave_session_start: Could not find session `%s'"), sesspath);
/* if we can't read and exec the session, then make a nice
* error dialog */
- run_error_dialog ();
-
- /* ends as if nothing bad happened */
- _exit (0);
+ run_error_dialog
+ (_("Cannot start the session, most likely the\n"
+ "session does not exist. Please select from\n"
+ "the list of available sessions in the login\n"
+ "dialog window."));
} else {
execl (shell, "-", "-c", sesspath, NULL);
gdm_error (_("gdm_slave_session_start: Could not start session `%s'"), sesspath);
+ run_error_dialog
+ (_("Cannot start your shell. It could be that the\n"
+ "system administrator has disabled your login.\n"
+ "It could also indicate an error with your account.\n"));
}
+ /* ends as if nothing bad happened */
_exit (0);
default:
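Review bot: The `gdm_error` call after the failed `execl` records only the session path, so the log never says why the exec failed. Reading `errno` immediately after `execl` returns and appending `strerror (errno)` as a further `%s` argument would make the entry useful when diagnosing a broken or tampered shell or session script. The third dialog text ends in `\n"` while the other two do not, which is worth making consistent. All three failure branches now reach `_exit (0)`, so the parent cannot tell a failed start from a normal session end; the comment suggests this is intended, but that cannot be confirmed from here, since the enclosing case begins outside the hunk.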
diff --git a/daemon/verify-crypt.c b/daemon/verify-crypt.c
index c591dd8f..192ef2dc 100644
--- a/daemon/verify-crypt.c
+++ b/daemon/verify-crypt.c
@@ -36,6 +36,7 @@ static const gchar RCSid[]="$Id$";
/* Configuration option variables */
extern gboolean GdmVerboseAuth;
extern gboolean GdmAllowRoot;
+extern gboolean GdmAllowRemoteRoot;
/**
@@ -100,7 +101,8 @@ gdm_verify_user (const char *username,
return NULL;
}
- if ( ! GdmAllowRoot &&
+ if ( ( ! GdmAllowRoot ||
+ ( ! GdmAllowRemoteRoot && ! local) ) &&
pwent->pw_uid == 0) {
gdm_error (_("Root login disallowed on display '%s'"), display);
if (GdmVerboseAuth) {
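Review bot: The root-login predicate `( ! GdmAllowRoot || ( ! GdmAllowRemoteRoot && ! local) )` is now written out three times, here and in the matching hunks of daemon/verify-pam.c and daemon/verify-shadow.c, and an access-control rule copied per backend is easy to change in one place and miss in another. A single shared helper would keep them in step, for example `gboolean gdm_root_login_allowed (gboolean local) { return GdmAllowRoot && (local || GdmAllowRemoteRoot); }` (the name is only a suggestion), with each backend testing `! gdm_root_login_allowed (local) && pwent->pw_uid == 0`. The message `Root login disallowed on display '%s'` could also state whether the global or the remote-only switch caused the denial, which helps when reading authentication logs. `gdm_verify_user` starts and ends outside the hunk, so how `local` is derived is not visible here.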
diff --git a/daemon/verify-pam.c b/daemon/verify-pam.c
index b0c65202..61d363f6 100644
--- a/daemon/verify-pam.c
+++ b/daemon/verify-pam.c
@@ -34,6 +34,7 @@ static const gchar RCSid[]="$Id$";
/* Configuration option variables */
extern gboolean GdmVerboseAuth;
extern gboolean GdmAllowRoot;
+extern gboolean GdmAllowRemoteRoot;
/* Local PAM handle */
pam_handle_t *pamh = NULL;
@@ -199,7 +200,8 @@ gdm_verify_user (const char *username,
gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
pwent = getpwnam (login);
- if ( ! GdmAllowRoot &&
+ if ( ( ! GdmAllowRoot ||
+ ( ! GdmAllowRemoteRoot && ! local) ) &&
pwent != NULL &&
pwent->pw_uid == 0) {
gdm_error (_("Root login disallowed on display '%s'"),
diff --git a/daemon/verify-shadow.c b/daemon/verify-shadow.c
index 87f93cb3..63e56122 100644
--- a/daemon/verify-shadow.c
+++ b/daemon/verify-shadow.c
@@ -37,6 +37,7 @@ static const gchar RCSid[]="$Id$";
/* Configuration option variables */
extern gboolean GdmVerboseAuth;
extern gboolean GdmAllowRoot;
+extern gboolean GdmAllowRemoteRoot;
/**
* gdm_verify_user:
@@ -107,7 +108,8 @@ gdm_verify_user (const char *username, const gchar *display, gboolean local)
return NULL;
}
- if ( ! GdmAllowRoot &&
+ if ( ( ! GdmAllowRoot ||
+ ( ! GdmAllowRemoteRoot && ! local) ) &&
pwent->pw_uid == 0) {
gdm_error (_("Root login disallowed on display '%s'"), display);
if (GdmVerboseAuth) {
diff --git a/gui/gdmconfig-strings.c b/gui/gdmconfig-strings.c
index 488a85b1..452ccb85 100644
--- a/gui/gdmconfig-strings.c
+++ b/gui/gdmconfig-strings.c
@@ -78,7 +78,10 @@ gchar *s = N_("Seconds before login: ");
gchar *s = N_("Automatic login");
gchar *s = N_("expert");
gchar *s = N_("Options");
+gchar *s = N_("Allow logging in as root (administrator) user.");
gchar *s = N_("Allow root to login with GDM");
+gchar *s = N_("Allow logging in as root (administrator) user from a remote host using GDM. This is only relevant if you enable the XDMCP protocol.");
+gchar *s = N_("Allow root to login remotely with GDM");
gchar *s = N_("Determines whether GDM should kill X clients started by the init scripts when the user logs in.");
gchar *s = N_("Kill 'init' clients");
gchar *s = N_("Should GDM print authentication errors in the greeter");
diff --git a/gui/gdmconfig.c b/gui/gdmconfig.c
index a60fcac9..6f3cda66 100644
--- a/gui/gdmconfig.c
+++ b/gui/gdmconfig.c
@@ -305,6 +305,7 @@ gdm_config_parse_most (void)
/* Fill the widgets in Security tab */
gdm_toggle_set("allow_root", gnome_config_get_bool(GDM_KEY_ALLOWROOT));
+ gdm_toggle_set("allow_remote_root", gnome_config_get_bool(GDM_KEY_ALLOWREMOTEROOT));
gdm_toggle_set("kill_init_clients", gnome_config_get_bool(GDM_KEY_KILLIC));
gdm_radio_set ("relax_perms", gnome_config_get_int(GDM_KEY_RELAXPERM), 2);
gdm_toggle_set("verbose_auth", gnome_config_get_bool(GDM_KEY_VERBAUTH));
@@ -642,6 +643,7 @@ write_new_config_file (GtkButton *button,
/* Write out the widget contents of the Security tab */
gdm_toggle_write("allow_root", GDM_KEY_ALLOWROOT);
+ gdm_toggle_write("allow_remote_root", GDM_KEY_ALLOWREMOTEROOT);
gdm_toggle_write("kill_init_clients", GDM_KEY_KILLIC);
gdm_radio_write ("relax_perms", GDM_KEY_RELAXPERM, 2);
gdm_toggle_write("verbose_auth", GDM_KEY_VERBAUTH);
diff --git a/gui/gdmconfig.glade b/gui/gdmconfig.glade
index cae8d9cb..c14a3e1a 100644
--- a/gui/gdmconfig.glade
+++ b/gui/gdmconfig.glade
@@ -2364,6 +2364,7 @@ This is %n
<widget>
<class>GtkCheckButton</class>
<name>allow_root</name>
+ <tooltip>Allow logging in as root (administrator) user.</tooltip>
<can_focus>True</can_focus>
<signal>
<name>clicked</name>
@@ -2381,6 +2382,26 @@ This is %n
</widget>
<widget>
+ <class>GtkCheckButton</class>
+ <name>allow_remote_root</name>
+ <tooltip>Allow logging in as root (administrator) user from a remote host using GDM. This is only relevant if you enable the XDMCP protocol.</tooltip>
+ <can_focus>True</can_focus>
+ <signal>
+ <name>clicked</name>
+ <handler>can_apply_now</handler>
+ <last_modification_time>Tue, 21 Mar 2000 21:29:53 GMT</last_modification_time>
+ </signal>
+ <label>Allow root to login remotely with GDM</label>
+ <active>False</active>
+ <draw_indicator>True</draw_indicator>
+ <child>
+ <padding>0</padding>
+ <expand>False</expand>
+ <fill>False</fill>
+ </child>
+ </widget>
+
+ <widget>
<class>GtkEventBox</class>
<name>eventbox4</name>
<tooltip>Determines whether GDM should kill X clients started by the init scripts when the user logs in.</tooltip>